Summary of Chapters 6, 8, 9, 10 and 12 (SOA)

Upload: lely2014

Post on 12-Feb-2018


  • 7/23/2019 Summary of CHAPTER 6 8 9 10 12 SOA

    1/29

    CHAPTER 6

    IIA, CobiT, and Other Professional Internal Audit Standards

    The key internal audit standard is the Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors (IIA), a set of guidance materials known to many internal auditors as the Red Book. This chapter summarizes the current IIA standards and some of the exposure draft changes currently in process.

    INSTITUTE OF INTERNAL AUDITORS STANDARDS FOR PROFESSIONAL PRACTICE

    As the primary internal audit professional organization worldwide, the IIA has a code of ethics as well as a set of standards to support its definition of internal auditing:

    Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

    In many respects, the IIA has changed its standards to reflect changes in business processes and internal control procedures. The professional internal auditor is obligated to be aware of any changes to the internal audit standards and to modify practices, if necessary, based on those changes.

    IIA's Code of Ethics

    The IIA's Code of Ethics promotes an ethical culture in the profession of internal auditing. The code is displayed in Exhibit 6.1.


    Internal Auditing's Professional Practice Standards

    As the key internal audit professional organization, the IIA's Internal Auditing Standards Board develops and issues standards that define the basic practice of internal auditing. These standards, known as the Standards for the Professional Practice of Internal Auditing, are designed to:

    Delineate basic principles that represent the practice of internal auditing as it should be

    Provide a framework for performing and promoting a broad range of value-added internal audit activities

    Establish the basis for the measurement of internal audit performance

    Foster improved processes and operations

    Internal Audit Attribute Standards

    The IIA standards address the characteristics of organizations and individuals performing internal audit activities and cover 13 broad areas listed by their standards paragraph numbers. The four Attribute Standards are:

    1000 Purpose, authority, and responsibility. The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board of directors.

    1100 Independence and objectivity. The internal audit activity should be independent, and internal auditors should be objective in performing their work.

    1200 Proficiency and due professional care. Engagements should be performed with proficiency and due professional care.

    1300 Quality assurance and improvement program. The chief audit executive (CAE) should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness.

    Internal Audit Performance Standards

    These standards describe the nature of internal audit activities and provide quality criteria against which their performance can be measured. There are seven Performance Standards, numbered 2000 through 2600 and outlined below, along with substandards and implementation standards that apply to compliance audits, fraud investigations, and control self-assessment projects.

    2000 Managing the internal audit activity: the CAE should manage the internal audit activity effectively to ensure it adds value to the organization. This standard covers six substandards: planning, communication and approval, resource management, policies and procedures, coordination, and reporting to the board and senior management.

    2100 Nature of work: the internal audit activity evaluates and contributes to the improvement of risk management, control, and governance systems.

    2110 Risk management: internal audit should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.


    The 2120 and 2130 substandards cover control and governance. The proposed standard change on governance is very appropriate and timely, given SOA:

    2130 Governance: the internal audit activity, consistent with the organization's structure, should contribute to governance processes by proactively assisting management and the board in fulfilling their responsibilities by: assessing and promoting strong ethics and values within the organization; assessing and improving the process by which accountability is ensured; assessing the adequacy of communications about significant residual risks within the organization; helping to improve the board's interaction with management and the external and internal auditors; and serving as an educational resource regarding changes and trends in the business and regulatory environment.

    2200 Engagement planning: internal auditors should develop and record a plan for each engagement.

    2300 Performing the engagement: internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

    2400 Communicating results: internal auditors should communicate their engagement results promptly.

    2500 Monitoring progress: the CAE should establish and maintain a system to monitor the disposition of results communicated to management.

    2600 Resolution of management's acceptance of risks: when the CAE believes that an auditee manager has accepted a level of residual risk that may be unacceptable to the overall organization, the matter should be discussed with senior management.

    IIA Standards in Today's SOA World

    SOA has made internal auditors much more important in today's world of strong corporate governance and effective internal controls. Internal auditors need a strong set of standards to operate effectively under these rules, and the current IIA standards, along with the draft changes in process, appear to satisfy those needs. While the basic concepts behind internal auditing have not really changed, the current Standards for the Professional Practice of Internal Auditing provide important guidance and direction in the post-SOA world.

    Today's experienced internal auditor should examine the current IIA standards and make certain that all internal audit activities are consistent with them. The CAE should review the standards with the audit committee to help its members better understand and appreciate internal audit's role in the organization.


    CHAPTER 8

    INTERNAL AUDIT FRAUD DETECTION AND PREVENTION

    An internal auditor needs to understand the concepts surrounding fraud in order to perform audits that search for fraudulent activities effectively. The common law definition of fraud is the obtaining of money or property by means of a false token, symbol, or device. Fraud can be costly to any victim organization, and effective internal controls are an organization's first line of defense. A comprehensive, fully implemented, and regularly monitored system of internal controls is essential for the prevention and detection of losses that arise from fraud.

    RED FLAGS: FRAUD DETECTION FOR AUDITORS

    It is easy to analyze the facts after a fraud has been discovered as a lessons-learned exercise, but auditors should use a skeptical eye to look for indicators of possible fraudulent activity in advance. They should look for what are called red flags. Exhibit 8.1 lists a series of red flags that may point to potential financial fraud activity.

    None of these is an absolute indicator of fraud, but auditors should always be skeptical in their reviews and be aware of such warning signals. When an auditor sees evidence of one or more of these or other red flags, it is time to dig a little deeper.

    Unfortunately, internal auditors often fail to detect frauds, for several reasons:


    Auditors are unwilling to look for fraud. Because of limited fraud training or a lack of experience with past fraud incidents, auditors historically have not looked very hard for fraud. They have tended to view fraud investigation as a police detective type of activity, not their prime responsibility.

    Too much trust is placed in auditees. Internal auditors in particular try to maintain a friendly, cordial attitude toward people in their organization. Because they encounter these same people in the company cafeteria or at the annual company picnic, there is usually a level of trust. Internal auditors quite correctly try to give their auditees the benefit of the doubt.

    Not enough emphasis is placed on audit quality. Internal audit findings often encounter some of the same red flags mentioned in Exhibit 8.1. Audit report findings may point out such matters as missing records or accounts that were not reconciled. However, quality reviews of the auditors' work often do not raise potential fraud-related issues.

    Fraud concerns receive inadequate support from management. The hint of a possible fraud requires auditors to extend procedures and dig a bit deeper. However, audit management may be reluctant to give an auditor extra time to dig deeper. Unless there are strong suspicions, audit managers may want the audit team to move on and stop spending time in what they feel is an extremely low-risk area.

    Auditors sometimes fail to focus on high-risk fraud areas. Fraud can occur in many areas, from employee travel expense reporting to treasury function relations with offshore banks. Although there may be a much greater risk of significant financial fraud in the latter, auditors often tend to focus on the former. There can be many possibilities for fraud in employee travel expense reporting, but the amounts often are not significant. There is always a need to focus on the higher-risk areas.

    Fraud is a word that can have many meanings, but we are referring to it here in terms of fraud as a criminal act.

    To help detect fraud, auditors also need to understand why people commit fraud. An organization can have the red flag environment described in Exhibit 8.1, but it will not necessarily be subject to fraudulent activity unless one or more employees decide to engage in fraud. Exhibit 8.2 lists some typical reasons for committing a fraud. These are all cases where strong internal controls are in place and the fraud is typically committed by only one person.

    Although major frauds involving senior management participation are difficult to detect, frauds that occur at much lower levels in the organization are easier to identify with a proper level of auditor investigation. Rather than treating such findings merely as internal control violations, an internal auditor should think of them as potential areas for employee fraud. Exhibit 8.3 is a checklist of some of these old, classic fraud detection methods. Auditors have performed these procedures for years but sometimes forget them.


    IIA STANDARD FOR DETECTING AND INVESTIGATING FRAUD

    Through observation, internal auditors may be in a better position to see a red flag than an external auditor. The internal auditor should be concerned about such matters as the possibility of wrongdoing and should consider evidence of any improper or illegal activities in an audit.

    Recognizing that it may be difficult to detect fraud, IIA Standard 1210.A2 provides this guidance: the internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. The phrase "is not expected to have the expertise" recognizes that internal auditors are not expected to be specialists in dealing with fraud issues.


    This same fraud standard is supported by an IIA practice advisory, 1210.A2-1, Identification of Fraud. Despite the words in the standard that internal auditors are not expected to have the expertise, the supporting practice advisory gives an internal auditor some guidance on detecting and investigating fraud. We have included an adapted portion of this practice advisory. The IIA practice advisory does not really educate internal auditors on the red flag types of conditions that might suggest potential fraudulent activity. Rather, it suggests that if an organization does not have good policies and procedures, or lacks a code of conduct, such an environment could encourage fraud.

    FRAUD INVESTIGATIONS FOR INTERNAL AUDITORS

    Fraud-related investigations cause internal auditors to operate rather differently from normal financial or operational audits. In any fraud-related review, auditors should concentrate on three major objectives:

    1) Prove the loss. Fraud-related reviews usually start out with the finding that someone stole something. The investigative review led by internal audit should assemble relevant material to determine the overall size and scope of the loss.

    2) Establish responsibility and intent. This is the "who did it?" step. As much as possible, the audit team should identify everyone responsible for the matter and determine whether there was any special or different intent associated with the fraudulent action.

    3) Prove the audit investigative methods used. The investigative team needs to be able to prove that its fraud-related conclusions were based on a detailed, step-by-step investigative process, not just a wild, uncoordinated witch hunt. The review should be documented using the best internal audit review processes. Of particular importance here, all documents and other evidence used need to be secured, with a record of who handled them and when, since the conclusions may later have to withstand challenge in a disciplinary or legal proceeding.


    CHAPTER 9

    ENTERPRISE RISK MANAGEMENT, PRIVACY, AND OTHER LEGISLATIVE INITIATIVES

    ENTERPRISE RISK MANAGEMENT

    This section discusses overall risk management as well as what will soon become a common new term or concept, Enterprise Risk Management (ERM). Although ERM concerns the overall organization, internal auditors need to understand how to use risk management to evaluate and plan individual audit projects. The chapter briefly discusses risk management concepts with an emphasis on their applicability to individual internal audit projects.

    Risk Assessment for Internal Auditors

    Internal auditors need to understand and control the risks surrounding their individual audit plans and activities. Project managers have used a risk management approach for some years, so this is not a new rule or tool for internal auditors. However, internal auditors often do not use a formal risk management approach in planning and completing audit projects. Every internal audit faces a range of uncertainties, from having no information about some subject area to total certainty and complete information, and internal audits should be planned and managed with these concepts in mind. Exhibit 9.3 shows this uncertainty spectrum, ranging from no information to complete information.

    The literature of the Project Management Institute (PMI) suggests that project risk should be managed in four phases:


    1) Risk Management Phase One: Identification. The internal auditor should attempt to identify all the possible risks that could impact the success of an upcoming internal audit project, ranging from high impact/high probability all the way to low impact/low probability.

    2) Risk Management Phase Two: Assessment. Having identified a range of risks, the next step is to rank them in terms of the type of risk, their potential impact, and their probability.

    3) Risk Management Phase Three: Response. The internal audit risk manager should develop appropriate response strategies. These strategies may range from the simple decision to accept the risk if it occurs to comprehensive plans for the deployment of resources to control a risk event.

    4) Risk Management Phase Four: Documentation. Other project managers often miss this step, but internal auditors should be well aware of the need for documentation. The overall risk management process should always be documented in some detail.

    CONCURRENT WITH SOA: OTHER LEGISLATION IMPACTING INTERNAL AUDITORS

    The Gramm-Leach-Bliley Act

    The Gramm-Leach-Bliley Act (GLBA) is a privacy-related set of requirements that aim to protect consumers' personal financial information held by financial institutions. Under GLBA, nontraditional financial institutions that fall outside the jurisdiction of the banking regulators are regulated by the Federal Trade Commission (FTC). An internal auditor working for a bank or insurance company today probably has already been involved with GLBA and its privacy-related provisions.

    Financial Privacy Rule

    Consumers frequently encounter the GLBA Financial Privacy Rule today when they receive a notice from a credit card provider describing its privacy practices. An internal auditor should recognize that all personal financial information is private and cannot simply be sold or otherwise distributed at will. Internal auditors working with any financial institution or financial application should be aware of how the GLBA privacy rules apply to their organization.

    GLBA Safeguards Rule

    The act's Safeguards Rule requires financial institutions to have a security plan in place to protect the confidentiality of personal consumer information. An organization can take five steps to start becoming compliant with the GLBA Safeguards Rule:

    1) Environmental risk analysis

    2) Designing and implementing safeguards

    3) Monitoring and auditing

    4) Constant improvement program

    5) Overseeing security providers and partners

    The Safeguards Rule applies to a wide range of providers of financial products and services, including mortgage brokers, nonbank lenders, appraisers, credit reporting agencies, professional tax preparers, and retailers that issue their own credit cards.

    GLBA Pretexting Provisions

    GLBA prohibits pretexting, the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information. In security terms pretexting is social engineering: a caller posing as the customer, or as a colleague from another branch, talks a service representative into reading out account details. The controls that matter are therefore caller authentication procedures and staff training, and an auditor reviewing them should check that they are actually followed, not merely written down. GLBA is one of the newer rules that will affect many internal auditors, particularly those in any type of financial institution.

    HIPAA and Internal Auditors

    The Health Insurance Portability and Accountability Act (HIPAA) will have a major impact on the privacy and security of personal medical records and other personal records. The original HIPAA legislation had four primary objectives:

    1) Ensure health insurance portability by eliminating the "job lock" caused by preexisting condition exclusions

    2) Reduce healthcare fraud and abuse

    3) Enforce standards for health information

    4) Guarantee the security and privacy of health information


    CHAPTER 10

    RULES AND PROCEDURES FOR INTERNAL AUDITORS WORLDWIDE

    This chapter looks at SOA from an international perspective. Although some rules are yet to be released, we look at the act from the viewpoint of a non-US corporation. The emphasis is on internal auditor responsibilities. The chapter also provides an overview of the International Standards on Auditing (ISAs), a set of guidelines with US roots that are now evolving into their own body of guidance.

    Many professionals have seen the words "ISO registered" in customer brochures and other advertising materials. Although the US often pushes its standards on the rest of the world, ISO (the International Organization for Standardization) publishes an international set of standards that many US organizations have adopted. ISO is important in today's global economy, and internal audit can help to ensure effective ISO compliance. ISO quality standards, the ISO registration process, and ISO quality audits are introduced in this chapter.

    This chapter also introduces the Information Technology Infrastructure Library (ITIL) of service delivery and support processes, an important set of guidance material that originated in the UK, is common in Europe, has become established in Canada, and is just being introduced in the US. Although not a new rule, ITIL represents best practice procedures that should become better recognized by internal auditors worldwide.

    SOA INTERNATIONAL REQUIREMENTS

    Foreign companies are required to provide certification of their financial statements by their chief executive officers (CEOs) and chief financial officers (CFOs). Thus, foreign CFOs and CEOs are subjecting themselves to possible US legal liabilities. For violators, the prosecution process may be challenging, but a foreign national who is even indicted under a US law will have trouble visiting the US until the matter is resolved. Foreign registered organizations must either begin to comply with SOA rules or seek delisting of their securities that are registered on US exchanges. At the time of this publication, only a few foreign companies had openly opted out of the US markets because of this new SOA regulatory environment.

    In years to come there will be a move toward tighter governance standards in all major foreign countries, making SOA and related regulations more palatable. This chapter discusses the increasingly important international accounting and auditing standards, internal control frameworks worldwide that parallel the Committee of Sponsoring Organizations (COSO) framework, such as Canada's Criteria of Control (CoCo), and the ISO registration process.


    INTERNATIONAL ACCOUNTING AND AUDITING STANDARDS

    The ISAs are broadly consistent with the US pre-SOA Statements on Auditing Standards (SAS documents) and probably will be consistent with the auditing standards to be issued under the Public Company Accounting Oversight Board (PCAOB) as well. Exhibit 10.1 lists the current ISAs. Similar to the earlier SAS process in the US, ISAs are released after publication of an exposure draft.

    To provide a flavor of these standards, Exhibit 10.2 shows ISA 610 on considering the work of internal auditors.


    The International Accounting Standards Board (IASB) publishes accounting standards in a series of pronouncements called International Financial Reporting Standards (IFRSs). Those pronouncements, designated international accounting standards, provide a basis for all countries worldwide and, in particular, provide accounting standards for developing countries that do not have established standards of their own.

    For internal auditors, the IIA standards discussed in Chapter 6 are international standards that apply to internal audits no matter what the country. Internal auditors working internationally may encounter different accounting standards or even different local financial statement auditing standards, but they should always follow the overall IIA professional standards. It is almost certain that the ISA and IAS standards will take the place of country-by-country standards, with the exception of the US with its international leadership role. The Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technology (CobiT) framework is also a worldwide standard.


    COSO WORLDWIDE: INTERNATIONAL INTERNAL CONTROL FRAMEWORKS

    CoCo: Canadas Variation of COSO

    According to CoCo, control comprises those elements of an organization, including its resources, systems, processes, culture, structure, and tasks, that, taken together, support its people in the achievement of the organization's objectives. CoCo emphasizes that the essence of control lies in purpose, commitment, capability, and monitoring and learning within the internal control framework, as presented in Exhibit 10.3.

    The criteria for commitment, for example, consist of these areas:

    Shared ethical values, including integrity, should be established, communicated, and practiced throughout the organization.

    Human resource policies and practices should be consistent with an organization's ethical values and with the achievement of its objectives.

    Authority, responsibility, and accountability should be clearly defined and consistent with an organization's objectives so that decisions and actions are taken by the appropriate people.

    An atmosphere of mutual trust should be fostered to support the flow of information between people and their effective performance toward achieving the organization's objectives.

    The CoCo model has similar detailed criteria for its other three major elements. Based on these elements, the model helps to shape internal control concepts while developing a new terminology that might become codified in future standards. The CICA CoCo guidance goes on to state that management's overriding objective is to ensure, as far as practical, the orderly and efficient conduct of the entity's business. Management discharges its internal control responsibilities through action directed to:

    Optimizing the Use of Resources. Internal control assists management in optimizing the use of resources by ensuring, as far as practical, that reliable information is provided to management for the determination of business policies, and by monitoring the implementation of those policies and the degree of compliance with them.

    Prevention or Detection of Error and Fraud. A management internal control objective is the prevention and detection of unintentional mistakes or errors and of fraud, the intentional misrepresentation of financial information or misappropriation of assets. The guidance goes on to state that any control should be weighed against the relative likelihood of error and fraud occurring and the consequences if any were to occur, including their effect on the financial statements.

    Safeguarding of Assets. An organization's assets should be safeguarded, partly through internal controls and partly through business policies. Internal control protects against loss arising from unintentional exposure to risk in processing transactions or handling related assets. The degree of intentional exposure to risk is determined by business policies.

    Maintaining Reliable Control Systems. These are policies and procedures established and maintained by management to collect, record, and process data and report the resulting information, or to enhance the reliability of such data and information. Management requires reliable control systems to provide the information necessary to operate the entity and to produce the accounting and other records necessary for the preparation of financial statements.

    The preceding paragraphs have briefly outlined the CoCo framework. CoCo represents a tighter, easier to grasp model of internal control than the somewhat complex COSO framework. The CoCo control framework represents a different way of thinking about internal control and provides a good way for managers to consider how their organizations are performing.

    Internal Control Standards in the United Kingdom

    The UK had some of the same concerns as the US regarding improper financial reporting during the 1990s. Although its focus was more on inappropriate statements made by directors, it also included failures of internal control. The result, a 1999 study similar to the US Treadway Commission report and oriented toward directors of public companies, places a strong emphasis on objective setting, risk identification, and risk assessment when evaluating internal controls. The report calls on directors to regularly consider:

    The nature and extent of the risks facing the company

    The extent and categories of risk that it regards as acceptable for the company to bear

    The likelihood of those risks materializing

    The company's ability to reduce the incidence and impact on the business of risks that do materialize

    The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks

    What is significant about the Turnbull approach is the emphasis on understanding business objectives and then analyzing risks as the first steps in designing effective internal controls. The Turnbull report then suggests a framework for evaluating the effectiveness of internal controls based on understanding the risks, designing controls based on those risks, and performing tests to evaluate the controls.

    Although there are some differences in the text, the report provides the same three basic objectives of internal control as do COSO and CoCo: effectiveness and efficiency of operations, reliability of internal and external financial reporting, and compliance with applicable laws and regulations. The really important concept of the Turnbull approach is its emphasis on risk assessment. It states that emphasis should be placed on developing controls for high-impact and higher-likelihood risks.

    Internal Control Frameworks Worldwide

    With the wide range of independent national accounting authorities and some differences in

    business practices, there are some variations in internal control frameworks or models worldwide.

    The Turnbull report states that an internal audit function should be able to:

    Provide objective assurance to the board and management as to the adequacy and

    effectiveness of the company's risk management and internal control framework

    Assist management to improve the processes by which risks are identified and managed

    Assist the board with its responsibilities to strengthen and improve the risk management

    and internal control framework

    Developed before SOA, this is excellent guidance for internal audit to understand risks and to help

    improve the internal control structure in any organization, no matter where in the world it is based.

    ISO AND THE STANDARDS REGISTRATION PROCESS

    ISO standards have been in place for some years, and quality auditors have been responsible for

    auditing against those standards. With the ever-increasing globalization of business, however,

    all internal auditors should have an understanding of the ISO 9000 quality standards as well as

    the process for achieving ISO certification.

    ISO 9000 Quality Standards: Overview

    The ISO quality standards important to internal auditors are:

    ISO 9000:2000, Quality Management Systems: Fundamentals and Vocabulary. This

    standard is the starting point and defines the fundamental terms and definitions used in the ISO

    9000 family.

    ISO 9001:2000, Quality Management Systems: Requirements. The requirements standard is

    used to assess the ability to meet customer and applicable regulatory requirements and to

    address customer satisfaction. This is the only standard in the ISO 9000 family against which

    a third-party certification can be carried out.

    ISO 9004:2000, Quality Management Systems: Guidelines for Performance Improvement. This

    standard provides guidance for continual improvement of quality management systems to

    benefit all parties through sustained customer satisfaction.

    Exhibit 10.4 describes this ISO-based Quality Management implementation process.


    The overall ISO process is one of establishing effective documentation over existing procedures and

    processes.


    Quality Audit and Registration

    Although neither IIA internal auditors nor AICPA financial auditors give much attention to ASQ quality

    auditors in their professional literature, there are some strong analogies among the three groups of

    auditors. Quality auditors base their work on the ISO standards just discussed. Management should have

    established quality processes as part of normal operations and will be reviewing compliance with those

    standards through internal self-checks or reviews by the organization's quality audit function.

    ISO standards provide guidance to establish and maintain an ongoing set of quality audits for an

    organization. They are based on what is called a Plan-Do-Check-Act cycle. Under this, the key

    actions to define an audit program are:

    Establish the objectives and extent of the audit program

    Establish responsibilities, resources, and procedures

    Ensure the implementation of the audit program

    Monitor and review the audit program to improve its efficiency and effectiveness

    Ensure that appropriate program records are maintained

    Exhibit 10.5 illustrates the tiered level of ISO quality documentation.


    In our discussion of new rules for internal auditors, we have introduced the ISO continuous

    improvement and quality audit process only very briefly. Quality auditors are moving off the

    production floor and are more frequently calling themselves internal auditors.

    Exhibit 10.6 summarizes the major principles behind ISO 9000. If an internal auditor's organization is

    already involved in an ISO registration effort, internal audit should get involved with the process,

    helping where it can and otherwise embracing ISO's concepts.


    CHAPTER 12

    SUMMARY: INTERNAL AUDITING GOING FORWARD

    The prime objective of this book has been to describe the major elements of the Sarbanes-Oxley Act

    (SOA) and its impact on corporate governance, financial reporting, and internal auditing. SOA has had

    a major impact on the public accounting industry and its professional organization, the American

    Institute of Certified Public Accountants (AICPA). Auditing standards will no longer be set by the

    AICPA's Auditing Standards Board, the somewhat congenial process of external auditor peer reviews

    and self-governance has changed to a rules-based environment, and chief financial officers (CFOs) are

    faced with the danger of personal criminal liability for issuing fraudulently incorrect financial

    statements.

    Chapter 9's discussion of HIPAA and GLBA covers two examples of legislative initiatives to protect

    personal privacy, but effective internal controls implemented by organizations also will help to

    provide this protection.

    FUTURE PROSPECTS FOR INTERNAL AUDITORS

    The future looks brighter than ever for internal audit professionals. Since the enactment of

    SOA (although we do not have any strong statistics here), the job market for internal

    audit professionals in the United States has grown. Newly empowered audit committees are realizing

    that their organizations' internal audit functions are an important component of overall

    corporate governance. Internal auditors and their professional organization, the IIA, are accepting

    this challenge, and the Information Systems Audit and Control Association (ISACA) also has promoted

    this governance concept.

    Internal audit functions need to accept this new challenge. The designated accounting and financial

    expert on the audit committee needs the help of internal audit to explain internal control issues

    within the organization, to better assess audit risks, and to plan and perform effective internal

    audits. Internal audit now typically has a level of responsibility for SOA Section 404 reviews of

    internal controls in the organization; the external auditors merely attest to the adequacy of that

    review. This is a very major change that will alter the relationships between internal and external

    auditors. Prior to the implementation of SOA, external auditors often assessed internal control risks,

    did some of the audit work themselves, and then asked internal audit to perform other review

    work under their general supervision. Although there will no doubt be much planning and

    coordination, internal audit, through the audit committee, is often responsible under SOA for

    reviewing and testing the results of internal controls and presenting those documented results to


    external audit. Some coordination will be necessary, but internal audit really is responsible here.

    There will certainly be some rough spots until internal audit assumes full responsibility for internal

    control reviews following the evolving PCAOB internal control auditing standards as well as the

    requirements of the external audit firms, but internal audit is assuming a role of increasing

    importance in the organization today.

    Internal audit functions also need to get more involved in other SOA-related issues. One area of

    particular importance is the ethics and whistleblower function in an organization. As discussed in

    Chapters 2 and 3, the audit committee is responsible for establishing a financial-reporting-related

    whistleblower function; an organization should consider expanding any such program to all functions

    in the organization, including all employees and other stakeholders. Although such functions can

    be managed by a human resources function or some specialized ethics function, internal audit and

    its chief audit executive (CAE) should get involved with such functions to assess that they are in

    compliance with SOA and meet the expectations of the audit committee.

    SOA has introduced a wide set of new rules for corporate governance, financial reporting, and

    auditing. This book has introduced the Sarbanes-Oxley Act to internal auditors and other interested

    parties, including audit committee members and corporate financial and general management. We

    also have introduced some other new rules and technology trends that will impact internal controls

    and corporate governance going forward.

    New rules are never set in cement but tend to change as society, legislation, and business

    practices change. The corporate accounting scandals of recent years, the demise of the major public

    accounting firm Arthur Andersen, and the introduction of SOA have all been drivers for these

    changes. In upcoming years, as the PCAOB becomes established or as we experience more

    international auditing and accounting standards convergence, these rules will continue to evolve as

    future new rules